Executive Summary: International data transfers

The essential knowledge on transferring personal data from the European Economic Area to other countries.

By using web analytics tools you transmit data to the third parties providing the service. If the third-party provider is located outside the European Economic Area (EEA), the operator must comply with the regulatory framework for international data transfers under the General Data Protection Regulation (GDPR).

The transfer of personal data to third parties outside the EEA can be based solely on user consent if the third country, where the data recipients are located, has an adequacy decision by the EU Commission, i.e. confirmation of an adequate level of data protection. If such is not given, user consent is not a sufficient legal basis and the transfer needs an alternative justification.

Following the invalidation of the EU-U.S. Privacy Shield by the CJEU Schrems II ruling, practically the only remaining option for the data transfer to third-party providers based in the U.S., such as Google Analytics, is to rely on standard contractual clauses.

However, according to the ruling even if standard contractual clauses are in place, you must provide “supplementary measures” to protect against access by U.S. authorities and to ensure effective legal protection for data subjects against unauthorized access.

According to the guidelines of the European Data Protection Board (EDPB), pseudonymization is an effective supplementary measure as long as the singling-out or re-identification of individual users is not possible.

For the UK, no longer a member of the EU, different rules may apply.

Please be aware that this only serves informational purposes and does not constitute legal advice.

Mehr Information

Blog
News

Facebook Tracking declared unlawful under GDPR by the Austrian DPA

In a recently published decision, the Austria DPA finds Facebook's tracking practices violate GDPR and Schrems II.

Blog

Switzerland's new data protection law: How to become compliant

On September 1, Swiss companies must have switched to privacy-compliant tracking. JENTIS offers the most effective solution for maximum data protection and data quality.

Blog
News

EU Parliament: Why MEPs rejected the Data Privacy Framework in committee

Our analysis of the opinions voiced on the Data Privacy Framework and what they mean for the implementation process.